What is Port Mirroring or SPAN?

What is Port Mirroring or SPAN?

A port mirroring session sends a copy of packets from one switch to a port on the destination (or monitor) switch. Mirror individual ports whenever possible. Ideally, mirror ports that are directly connected to the servers that host the applications of interest. The ideal location is a core switch in a network operations or data center. However, any switch with maximum visibility into the traffic of interest is acceptable.

In a Cisco environment, port mirroring is accomplished with the Switch Port Analyzer (SPAN) feature. SPAN lets you copy traffic from physical ports on a switch to another port on that switch.

You configure port mirrors by creating a monitor session consisting of a source and destination.

A session source consists of the following attributes:

• Session number: Differentiates a monitor session from others on the switch
• Session source: The physical ports or VLANS from which the SPAN copies data
  • Source ports can be L2 or L3 LAN ports.
  • Trunk and non-trunk ports can be used at the same time.
  • Do not configure WAN interfaces to be source ports (such as ATM interfaces).
  • Do not configure EtherChannel ports as source ports. IOS versions 12.1(13)E and later do not permit such configuration.
  • Do not mix physical ports and VLANs as sources within the same monitor session. Configure either physical ports or VLANs.
  • When you specify the source information using a VLAN or VLAN list, the SPAN function is known as VLAN SPAN or VSPAN. Sourcing from a VLAN adds every interface in the VLAN to the monitor session.
• Session direction: The direction of the traffic you want to copy: receiving (RX), transmitting (TX), or both (the default)

A session destination specifies the physical port to which the mirror port copies data. A destination port can be any physical port.

• With release 12.1(13)E and later of Cisco IOS, you can configure the destination port to be a trunk port. This configuration lets you forward VLAN tags to the collection device. You can use the switchport trunk allowed vlan command to filter the data that leaves the destination port.
• A destination port can service only one SPAN session and cannot be an EtherChannel port.
• A monitor session can have up to 64 destination interfaces.